TEDGlobal 2011

Mikko Hypponen: Fighting viruses, defending the net


It's been 25 years since the first PC virus (Brain A) hit the net, and what was once an annoyance has become a sophisticated tool for crime and espionage. Computer security expert Mikko Hyppönen tells us how we can stop these new viruses from threatening the internet as we know it.

Mikko Hypponen - Cybersecurity expert
As computer access expands, Mikko Hypponen asks: What's the next killer virus, and will the world be able to cope with it? And also: How can we protect digital privacy in the age of government surveillance?

I love the Internet.
00:15
It's true.
00:18
Think about everything it has brought us.
00:20
Think about all the services we use,
00:22
all the connectivity,
00:25
all the entertainment,
00:27
all the business, all the commerce.
00:29
And it's happening during our lifetimes.
00:32
I'm pretty sure that one day
00:35
we'll be writing history books
00:38
hundreds of years from now. This time
00:40
our generation will be remembered
00:43
as the generation that got online,
00:46
the generation
00:49
that built something really and truly global.
00:51
But yes, it's also true
00:54
that the Internet has problems, very serious problems,
00:57
problems with security
01:00
and problems with privacy.
01:03
I've spent my career
01:06
fighting these problems.
01:08
So let me show you something.
01:11
This here
01:15
is Brain.
01:17
This is a floppy disk
01:19
-- five and a quarter-inch floppy disk
01:21
infected by Brain.A.
01:23
It's the first virus we ever found
01:25
for PC computers.
01:27
And we actually know
01:30
where Brain came from.
01:32
We know because it says so
01:34
inside the code.
01:36
Let's take a look.
01:38
All right.
01:45
That's the boot sector of an infected floppy,
01:48
and if we take a closer look inside,
01:51
we'll see that right there,
01:54
it says, "Welcome to the dungeon."
01:56
And then it continues,
02:00
saying, 1986, Basit and Amjad.
02:02
And Basit and Amjad are first names,
02:05
Pakistani first names.
02:08
In fact, there's a phone number and an address in Pakistan.
02:10
(Laughter)
02:13
Now, 1986.
02:18
Now it's 2011.
02:21
That's 25 years ago.
02:23
The PC virus problem is 25 years old now.
02:25
So half a year ago,
02:29
I decided to go to Pakistan myself.
02:31
So let's see, here's a couple of photos I took while I was in Pakistan.
02:34
This is from the city of Lahore,
02:37
which is around 300 kilometers south
02:39
from Abbottabad, where Bin Laden was caught.
02:41
Here's a typical street view.
02:44
And here's the street or road leading to this building,
02:47
which is 730 Nizam block at Allama Iqbal Town.
02:50
And I knocked on the door.
02:54
(Laughter)
02:56
You want to guess who opened the door?
02:58
Basit and Amjad; they are still there.
03:00
(Laughter)
03:02
(Applause)
03:04
So here standing up is Basit.
03:08
Sitting down is his brother Amjad.
03:11
These are the guys who wrote the first PC virus.
03:14
Now of course, we had a very interesting discussion.
03:17
I asked them why.
03:20
I asked them how they feel about what they started.
03:22
And I got some sort of satisfaction
03:25
from learning that both Basit and Amjad
03:28
had had their computers infected dozens of times
03:31
by completely unrelated other viruses
03:34
over these years.
03:36
So there is some sort of justice
03:38
in the world after all.
03:40
Now, the viruses that we used to see
03:44
in the 1980s and 1990s
03:46
obviously are not a problem any more.
03:48
So let me just show you a couple of examples
03:51
of what they used to look like.
03:53
What I'm running here
03:55
is a system that enables me
03:57
to run age-old programs on a modern computer.
03:59
So let me just mount some drives. Go over there.
04:02
What we have here is a list of old viruses.
04:05
So let me just run some viruses on my computer.
04:08
For example,
04:11
let's go with the Centipede virus first.
04:13
And you can see at the top of the screen,
04:15
there's a centipede scrolling across your computer
04:17
when you get infected by this one.
04:19
You know that you're infected
04:21
because it actually shows up.
04:23
Here's another one. This is the virus called Crash,
04:25
invented in Russia in 1992.
04:28
Let me show you one which actually makes some sound.
04:30
(Siren noise)
04:34
And the last example,
04:40
guess what the Walker virus does?
04:42
Yes, there's a guy walking across your screen
04:44
once you get infected.
04:46
So it used to be fairly easy to know
04:48
that you're infected by a virus,
04:51
when the viruses were written by hobbyists
04:54
and teenagers.
04:56
Today, they are no longer being written
04:58
by hobbyists and teenagers.
05:00
Today, viruses are a global problem.
05:02
What we have here in the background
05:05
is an example of our systems that we run in our labs,
05:07
where we track virus infections worldwide.
05:10
So we can actually see in real time
05:12
that we've just blocked viruses in Sweden and Taiwan
05:14
and Russia and elsewhere.
05:17
In fact, if I just connect back to our lab systems
05:19
through the Web,
05:22
we can see in real time
05:24
just some kind of idea of how many viruses,
05:26
how many new examples of malware we find every single day.
05:29
Here's the latest virus we've found,
05:32
in a file called Server.exe.
05:34
And we found it right over here three seconds ago --
05:36
the previous one, six seconds ago.
05:39
And if we just scroll around,
05:41
it's just massive.
05:44
We find tens of thousands, even hundreds of thousands.
05:46
And that's the last 20 minutes of malware
05:49
every single day.
05:52
So where are all these coming from then?
05:54
Well today, it's the organized criminal gangs
05:57
writing these viruses
06:01
because they make money with their viruses.
06:03
It's gangs like --
06:05
let's go to GangstaBucks.com.
06:07
This is a website operating in Moscow
06:10
where these guys are buying infected computers.
06:13
So if you are a virus writer
06:17
and you're capable of infecting Windows computers,
06:19
but you don't know what to do with them,
06:21
you can sell those infected computers --
06:23
somebody else's computers -- to these guys.
06:25
And they'll actually pay you money for those computers.
06:27
So how do these guys then monetize
06:31
those infected computers?
06:34
Well there's multiple different ways,
06:36
such as banking trojans, which will steal money from your online banking accounts
06:38
when you do online banking,
06:41
or keyloggers.
06:44
Keyloggers silently sit on your computer, hidden from view,
06:47
and they record everything you type.
06:51
So you're sitting on your computer and you're doing Google searches.
06:54
Every single Google search you type
06:57
is saved and sent to the criminals.
06:59
Every single email you write is saved and sent to the criminals.
07:02
Same thing with every single password and so on.
07:05
But the thing that they're actually looking for most
07:09
are sessions where you go online
07:11
and do online purchases in any online store.
07:13
Because when you do purchases in online stores,
07:16
you will be typing in your name, the delivery address,
07:18
your credit card number and the credit card security codes.
07:21
And here's an example of a file
07:24
we found from a server a couple of weeks ago.
07:26
That's the credit card number,
07:28
that's the expiration date, that's the security code,
07:30
and that's the name of the owner of the card.
07:32
Once you gain access to other people's credit card information,
07:34
you can just go online and buy whatever you want
07:37
with this information.
07:39
And that, obviously, is a problem.
07:42
We now have a whole underground marketplace
07:44
and business ecosystem
07:48
built around online crime.
07:51
One example of how these guys
07:54
actually are capable of monetizing their operations:
07:56
we go and have a look at the pages of INTERPOL
07:59
and search for wanted persons.
08:02
We find guys like Bjorn Sundin, originally from Sweden,
08:04
and his partner in crime,
08:07
also listed on the INTERPOL wanted pages,
08:09
Mr. Shaileshkumar Jain,
08:11
a U.S. citizen.
08:13
These guys were running an operation called I.M.U.,
08:15
a cybercrime operation through which they netted millions.
08:18
They are both right now on the run.
08:21
Nobody knows where they are.
08:24
U.S. officials, just a couple of weeks ago,
08:26
froze a Swiss bank account
08:28
belonging to Mr. Jain,
08:30
and that bank account had 14.9 million U.S. dollars on it.
08:32
So the amount of money online crime generates
08:36
is significant.
08:39
And that means that the online criminals
08:41
can actually afford to invest into their attacks.
08:43
We know that online criminals
08:46
are hiring programmers, hiring testing people,
08:48
testing their code,
08:51
having back-end systems with SQL databases.
08:53
And they can afford to watch how we work --
08:56
like how security people work --
08:59
and try to work their way around
09:01
any security precautions we can build.
09:03
They also use the global nature of the Internet
09:05
to their advantage.
09:08
I mean, the Internet is international.
09:10
That's why we call it the Internet.
09:12
And if you just go and take a look
09:14
at what's happening in the online world,
09:16
here's a video built by Clarified Networks,
09:19
which illustrates how one single malware family is able to move around the world.
09:21
This operation, believed to be originally from Estonia,
09:25
moves around from one country to another
09:28
as soon as someone tries to shut the website down.
09:30
So you just can't shut these guys down.
09:32
They will switch from one country to another,
09:35
from one jurisdiction to another --
09:37
moving around the world,
09:39
using the fact that we don't have the capability
09:41
to globally police operations like this.
09:43
So the Internet is as if
09:46
someone would have given free plane tickets
09:48
to all the online criminals of the world.
09:50
Now, criminals who weren't capable of reaching us before
09:53
can reach us.
09:56
So how do you actually go around finding online criminals?
09:58
How do you actually track them down?
10:01
Let me give you an example.
10:03
What we have here is one exploit file.
10:05
Here, I'm looking at the hex dump of an image file,
10:08
which contains an exploit.
10:12
And that basically means, if you're trying to view this image file on your Windows computer,
10:14
it actually takes over your computer and runs code.
10:17
Now, if you'll take a look at this image file --
10:20
well there's the image header,
10:23
and there the actual code of the attack starts.
10:25
And that code has been encrypted,
10:28
so let's decrypt it.
10:30
It has been encrypted with XOR function 97.
10:32
You just have to believe me,
10:34
it is, it is.
10:36
And we can go here
10:38
and actually start decrypting it.
10:40
Well the yellow part of the code is now decrypted.
10:42
And I know, it doesn't really look much different from the original.
10:44
But just keep staring at it.
10:47
You'll actually see that down here
10:49
you can see a Web address:
10:51
unionseek.com/d/ioo.exe
10:53
And when you view this image on your computer
10:59
it actually is going to download and run that program.
11:01
And that's a backdoor which will take over your computer.
11:03
But even more interestingly,
11:06
if we continue decrypting,
11:08
we'll find this mysterious string,
11:10
which says O600KO78RUS.
11:12
That code is there underneath the encryption
11:17
as some sort of a signature.
11:19
It's not used for anything.
11:21
And I was looking at that, trying to figure out what it means.
11:23
So obviously I Googled for it.
11:26
I got zero hits; wasn't there.
11:28
So I spoke with the guys at the lab.
11:30
And we have a couple of Russian guys in our labs,
11:32
and one of them mentioned,
11:34
well, it ends in RUS like Russia.
11:36
And 78 is the city code
11:38
for the city of St. Petersburg.
11:40
For example, you can find it from some phone numbers
11:42
and car license plates and stuff like that.
11:44
So I went looking for contacts in St. Petersburg,
11:47
and through a long road,
11:50
we eventually found this one particular website.
11:52
Here's this Russian guy who's been operating online for a number of years
11:56
who runs his own website,
11:59
and he runs a blog under the popular Live Journal.
12:01
And on this blog, he blogs about his life,
12:04
about his life in St. Petersburg --
12:06
he's in his early 20s --
12:08
about his cat,
12:10
about his girlfriend.
12:12
And he drives a very nice car.
12:14
In fact, this guy drives
12:16
a Mercedes-Benz S600
12:19
V12
12:21
with a six-liter engine
12:23
with more than 400 horsepower.
12:25
Now that's a nice car for a 20-something year-old kid in St. Petersburg.
12:27
How do I know about this car?
12:31
Because he blogged about the car.
12:33
He actually had a car accident.
12:35
In downtown St. Petersburg,
12:37
he actually crashed his car into another car.
12:39
And he blogged images about the car accident --
12:41
that's his Mercedes --
12:43
right here is the Lada Samara he crashed into.
12:45
And you can actually see that the license plate of the Samara
12:49
ends in 78RUS.
12:52
And if you actually take a look at the scene picture,
12:54
you can see that the plate of the Mercedes
12:57
is O600KO78RUS.
12:59
Now I'm not a lawyer,
13:05
but if I were,
13:07
this is where I would say, "I rest my case."
13:09
(Laughter)
13:12
So what happens when online criminals are caught?
13:14
Well in most cases it never gets this far.
13:17
The vast majority of the online crime cases,
13:20
we don't even know which continent the attacks are coming from.
13:22
And even if we are able to find online criminals,
13:25
quite often there is no outcome.
13:28
The local police don't act, or if they do, there's not enough evidence,
13:30
or for some reason we can't take them down.
13:33
I wish it would be easier;
13:35
unfortunately it isn't.
13:37
But things are also changing
13:39
at a very rapid pace.
13:42
You've all heard about things like Stuxnet.
13:45
So if you look at what Stuxnet did
13:48
is that it infected these.
13:51
That's a Siemens S7-400 PLC,
13:53
programmable logic [controller].
13:56
And this is what runs our infrastructure.
13:58
This is what runs everything around us.
14:01
PLCs, these small boxes which have no display,
14:04
no keyboard,
14:07
which are programmed, are put in place, and they do their job.
14:09
For example, the elevators in this building
14:11
most likely are controlled by one of these.
14:13
And when Stuxnet infects one of these,
14:17
that's a massive revolution
14:20
on the kinds of risks we have to worry about.
14:22
Because everything around us is being run by these.
14:25
I mean, we have critical infrastructure.
14:28
You go to any factory, any power plant,
14:30
any chemical plant, any food processing plant,
14:33
you look around --
14:35
everything is being run by computers.
14:37
Everything is being run by computers.
14:39
Everything is reliant on these computers working.
14:41
We have become very reliant
14:44
on the Internet,
14:47
on basic things like electricity, obviously,
14:49
on computers working.
14:52
And this really is something
14:54
which creates completely new problems for us.
14:56
We must have some way
14:58
of continuing to work
15:00
even if computers fail.
15:02
(Laughter)
15:12
(Applause)
15:14
So preparedness means that we can do stuff
15:24
even when the things we take for granted
15:27
aren't there.
15:29
It's actually very basic stuff --
15:31
thinking about continuity, thinking about backups,
15:33
thinking about the things that actually matter.
15:36
Now I told you --
15:39
(Laughter)
15:42
I love the Internet. I do.
15:44
Think about all the services we have online.
15:48
Think about if they are taken away from you,
15:51
if one day you don't actually have them
15:54
for some reason or another.
15:56
I see beauty in the future of the Internet,
15:58
but I'm worried
16:01
that we might not see that.
16:03
I'm worried that we are running into problems
16:05
because of online crime.
16:07
Online crime is the one thing
16:09
that might take these things away from us.
16:11
(Laughter)
16:13
I've spent my life
16:16
defending the Net,
16:18
and I do feel that if we don't fight online crime,
16:21
we are running a risk of losing it all.
16:24
We have to do this globally,
16:28
and we have to do it right now.
16:31
What we need
16:34
is more global, international law enforcement work
16:36
to find online criminal gangs --
16:39
these organized gangs
16:41
that are making millions out of their attacks.
16:43
That's much more important
16:45
than running anti-viruses or running firewalls.
16:47
What actually matters
16:49
is actually finding the people behind these attacks,
16:51
and even more importantly,
16:53
we have to find the people
16:55
who are about to become
16:57
part of this online world of crime,
16:59
but haven't yet done it.
17:01
We have to find the people with the skills,
17:03
but without the opportunities
17:06
and give them the opportunities
17:08
to use their skills for good.
17:10
Thank you very much.
17:13
(Applause)
17:15
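The decryption step the speaker walks through (around 10:25 to 10:53: exploit code inside an image file XOR-ed with key 97, and a download URL appearing once it is decoded) is something an analyst usually has to do without knowing the key in advance. The Python below is an added example, not code from the talk or from F-Secure: it brute-forces all 256 single-byte XOR keys over a constructed blob (a fake image header followed by a body XOR-ed with 97, using the placeholder domain example.invalid), ranks keys by how much readable text and how many downloader markers they reveal, and pulls URLs out of the best candidate. The function names, scoring weights, marker list and sample bytes are my own assumptions.

```python
from __future__ import annotations

import re
import string

# Byte values an analyst would accept as "readable": printable ASCII.
PRINTABLE = frozenset(string.printable.encode())

# Substrings whose presence in a decoded candidate strongly suggests the
# right key: downloader payloads usually carry a URL and an executable name.
# (Assumed marker list; extend it for the formats you actually see.)
MARKERS = (b"http://", b"https://", b".exe", b".dll")

# A URL runs from the scheme until the first byte outside printable ASCII.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key. XOR is its own inverse, so the same
    call both encodes and decodes (the talk's "XOR function 97")."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Heuristic ranking: one point per printable byte, plus a large bonus
    per marker hit so a real URL outweighs coincidental printable runs."""
    printable = sum(1 for b in candidate if b in PRINTABLE)
    marker_hits = sum(candidate.count(m) for m in MARKERS)
    return printable + 50 * marker_hits


def brute_force_xor(data: bytes, top: int = 3) -> list[tuple[int, int]]:
    """Try every key 0..255 and return [(key, score), ...], best first."""
    ranked = sorted(((k, score(xor_bytes(data, k))) for k in range(256)),
                    key=lambda ks: ks[1], reverse=True)
    return ranked[:top]


def recover_urls(data: bytes) -> tuple[int, list[bytes]]:
    """Decode with the best-scoring key and extract any URLs it exposes."""
    key = brute_force_xor(data, top=1)[0][0]
    plaintext = xor_bytes(data, key)
    return key, URL_RE.findall(plaintext)


# --- constructed sample (not a real malware file) -----------------------
# A fake JPEG-style header followed by a body XOR-ed with key 97, mirroring
# the layout described in the talk. Domain and signature are placeholders.
_HIDDEN_BODY = (
    b"\x00\x00http://example.invalid/d/payload.exe\x00"
    b"DEMO-SIGNATURE-0001\x00"
)
SAMPLE_BLOB = bytes.fromhex("ffd8ffe000104a464946") + xor_bytes(_HIDDEN_BODY, 97)

if __name__ == "__main__":
    print("top keys:", brute_force_xor(SAMPLE_BLOB))
    key, urls = recover_urls(SAMPLE_BLOB)
    print(f"best key {key} (0x{key:02x}); urls: {urls}")
```

The marker bonus is what makes this robust: with a short blob, several wrong keys can produce a comparable number of printable bytes, but only the right key lines up a scheme and an executable name. On real samples, treat the top few keys as leads and inspect the decoded bytes rather than trusting a single winner.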


About the speaker:

Mikko Hypponen - Cybersecurity expert

Why you should listen

The chief research officer at F-Secure Corporation in Finland, Mikko Hypponen has led his team through some of the largest computer virus outbreaks in history. His team took down the world-wide network used by the Sobig.F worm. He was the first to warn the world about the Sasser outbreak, and he has done classified briefings on the operation of the Stuxnet worm -- a hugely complex worm designed to sabotage Iranian nuclear enrichment facilities.

As a few hundred million more Internet users join the web from India and China and elsewhere, and as governments and corporations become more sophisticated at using viruses as weapons, Hypponen asks, what's next? Who will be at the front defending the world’s networks from malicious software? He says: "It's more than unsettling to realize there are large companies out there developing backdoors, exploits and trojans."

Even more unsettling: revelations this year that the United States' NSA is conducting widespread digital surveillance of both US citizens and anyone whose data passes through a US entity, and that it has actively sabotaged encryption algorithms. Hypponen has become one of the most outspoken critics of the agency's programs and asks us all: Why are we so willing to hand over digital privacy?


Read his open-season Q&A on Reddit: "My TED Talk was just posted. Ask me anything."

See the full documentary on the search for the Brain virus
